[PATCH] Add support for XKCD-style wordlist passwords

Matthieu Weber mweber at free.fr
Tue Oct 30 12:10:55 CET 2018


On Tue, 30 Oct 2018 at 10:33AM +0100, Kjetil Torgrim Homme wrote:
> On 30 Oct 2018 at 08:25, Lenz Weber wrote:
> > Is this something that pass needs? Or, more crass: should it offer this
> > feature or should it be considered harmful?
> > 
> > The point of pass, or any password manager, is not having to remember or
> > even know your password.
> 
> yes, but sometimes you need to enter this password by hand.  I use horse
> battery passwords when I might need to enter the password on a mobile
> phone or on a console in a chilly data centre in the middle of the
> night.  both of these will often have problems with strange characters
> or keyboard layouts (is "&" on Shift 6 or Shift 7?  since there is often
> no echo, there is no way to be sure!)

So you want passwords that are easy to type: generate passwords that are
made entirely of lowercase letters; all you need is 40% more characters
to have the same entropy as a password made of alphanumerics+symbols,
i.e., 11 characters instead of 8. They will be easy enough to type even
on exotic keyboards, and can be generated using only tools that pass
uses already. All you need is to add to “pass generate” an option to
reduce $CHARACTER_SET to [:lower:].
 
> average length of 13 characters.  this doesn't really help entropy,
> though.  489533 distinct words give 18.9 bits of entropy each, so the
> above pass phrases (of four words) have 75 bits, or 5.74e+22.  still not
> a huge amount, but the attacker would have to know that this is the
> method I use to make pass phrases to successfully reduce his search space.

You can get 75 bits of entropy with 16 lowercase letters or 14
mixed-case letters. That is surely easier to type than your example.

Matthieu
-- 
 (~._.~)            Matthieu Weber - mweber at free.fr              (~._.~)
  ( ? )                http://weber.fi.eu.org/                    ( ? ) 
 ()- -()          public key id : 0x85CB340EFCD5E0B3             ()- -()
 (_)-(_) "Humor ist, wenn man trotzdem lacht (Otto J. Bierbaum)" (_)-(_)
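
The entropy comparison in this message, as an added example that is not part of the original message and is not code from pass. It computes the figures being compared and generates a lowercase-only password by filtering /dev/urandom through tr, as the message proposes. The function names are hypothetical, and the alphabet sizes (26 lowercase, 52 mixed-case, 94 printable ASCII for "alphanumerics+symbols") are assumptions.

```shell
#!/bin/sh
# Added example: not code from pass or from the thread. Function names are
# hypothetical. Assumed alphabet sizes: 26 = [:lower:], 52 = [:alpha:],
# 94 = printable ASCII, 489533 = the wordlist size quoted in the thread.

# Total entropy in bits of $1 symbols drawn uniformly from $2 possibilities.
entropy_bits() {
    LC_ALL=C awk -v len="$1" -v n="$2" \
        'BEGIN { printf "%.1f\n", len * log(n) / log(2) }'
}

# Smallest number of symbols from an alphabet of size $2 giving >= $1 bits.
min_length() {
    LC_ALL=C awk -v bits="$1" -v n="$2" 'BEGIN {
        per = log(n) / log(2)
        len = int(bits / per)
        if (len * per < bits) len++
        print len
    }'
}

# Emit $1 characters from the tr(1) set $2 (default [:lower:]) by filtering
# the kernel CSPRNG. tr -dc drops every byte outside the set, so each
# surviving character is uniform over the set (no modulo bias).
gen_password() {
    LC_ALL=C tr -dc "${2:-[:lower:]}" < /dev/urandom | head -c "$1"
    echo
}

# Demo: the comparisons made in the message.
echo "8 chars from 94 symbols : $(entropy_bits 8 94) bits"
echo "11 lowercase letters    : $(entropy_bits 11 26) bits"
echo "4 words from 489533     : $(entropy_bits 4 489533) bits"
echo "lowercase for 75 bits   : $(min_length 75 26) chars"
echo "mixed-case for 75 bits  : $(min_length 75 52) chars"
echo "sample 16-char lowercase: $(gen_password 16)"
```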